BlueSAM provides a Cobalt Strike Beacon Object File (BOF) that targets the BlueHammer vulnerability. This tool pulls a copy of the Windows SAM database by mimicking Windows Defender update processes and Volume Shadow Copy Service (VSS) behavior. It then handles offline registry data directly within a Cobalt Strike Beacon session. Developed in C, the project sits on GitHub under incursi0n/BlueSAM and has gathered 150 stars.
The approach stems from a need to access sensitive credential data without triggering common detection methods. Standard SAM dumps often rely on tools like Mimikatz or direct registry access, which defenders monitor closely. BlueSAM sidesteps this by exploiting how Windows handles Defender updates to create shadow copies, then extracts and processes the data post-compromise. It builds directly on Nightmare-Eclipse's BlueHammer proof-of-concept, adapting it into a lightweight BOF format for Cobalt Strike integration.
What BlueSAM does
BlueSAM runs as a BOF, meaning it executes in-memory within a Beacon without dropping files to disk. Its core workflow includes:
- Exploiting BlueHammer: Triggers a vulnerable code path in Windows Defender's update mechanism to snapshot the SAM hive via VSS.
- SAM extraction: Copies the SAM database from the shadow copy, focusing on the registry hive at
%SystemRoot%\System32\config\SAM. - Offline processing: Parses the extracted data in Beacon for hashes and credentials, outputting results to the operator.
- Minimal arguments: Accepts no arguments for default operation or any input to display a help menu.
A sample run, as shown in the project's README screenshot, displays Beacon output like " [+] BlueSAM BOF started", followed by steps for VSS creation, SAM copy, and hash extraction. It lists NTLM hashes for accounts such as Administrator and Guest. The process completes in seconds, logging success or errors like "Failed to create shadow copy."
This keeps the operation contained within Cobalt Strike's aggressor scripts, using the bluesam.cna file for seamless command integration.
Building the BOF
Setup requires basic build tools for C on a development machine, typically Windows with Visual Studio or a cross-compiler setup. The README provides straightforward steps.
Start by cloning the repository:
git clone https://github.com/incursi0n/BlueSAM.git
Navigate into the directory and compile with Make, which handles the BOF linking:
cd BlueSAM
make
This generates the bluesam.x64.o object file (and x86 variant if configured). The build relies on standard BOF templates, pulling in dependencies like those from trustedsec's CS-Situational-Awareness-BOF base. No additional libraries or runtimes install beyond a C toolchain and Make. Developers familiar with Cobalt Strike BOFs note that make resolves paths to headers like beacon.h.
Common pitfalls include missing MinGW or Visual Studio Build Tools, which provide the linker for BOF format. The project uses boflink and other credited templates for compatibility.
Integrating and running in Cobalt Strike
Once built, load the BOF into Cobalt Strike. Import the provided Aggressor Script:
- Open Cobalt Strike.
- Go to Script Manager > Load and select
bluesam.cna.
This registers the bluesam command in Beacons. Execute it on a compromised host:
bluesam
No further arguments needed for standard use. With any argument, like bluesam help, it prints the usage table:
Command Description
(none) Runs the BlueSAM BOF with the default target behavior.
any argument Shows this help menu.
Target Windows versions with the BlueHammer flaw—typically those running affected Defender builds. Post-run, Beacon console shows extracted hashes in LM/NTLM format, ready for cracking tools like Hashcat.
Operators report reliable execution on domain controllers or workstations, assuming Beacon shell access and local admin rights for VSS snapshots.
Who this targets
BlueSAM suits red team operators and penetration testers using Cobalt Strike. It fits scenarios where post-exploitation demands stealthy credential access. During engagements, teams hit roadblocks with live registry queries flagged by EDR. This BOF offers a fileless alternative, processing data offline in Beacon.
Use cases include:
- Dumping local admin hashes on endpoints without lsass access.
- Harvesting SAM from DCs via Cobalt Strike pivots.
- Testing Defender bypasses in purple team exercises.
It's not for static analysis or non-Cobalt Strike environments. Beginners without BOF experience might struggle, as it assumes Beacon deployment and Aggressor scripting knowledge.
Development origins and credits
The project credits several open-source efforts. Primary inspiration comes from Nightmare-Eclipse's BlueHammer PoC at https://github.com/Nightmare-Eclipse/BlueHammer, which first demonstrated the Defender VSS trick. BOF packaging uses MEhrn00/boflink (https://github.com/MEhrn00/boflink), TrustedSec's situational awareness base (https://github.com/trustedsec/CS-Situational-Awareness-BOF/tree/master/src/base_template), and CodeXTF2's bof_template (https://github.com/CodeXTF2/bof_template).
These components ensure cross-architecture support (x64 primary) and error handling aligned with Cobalt Strike standards. The C codebase stays lean, around a few hundred lines, focusing on syscall stubs for evasion.
Comparisons to similar tools
BlueSAM narrows in on BlueHammer specifically, unlike broader credential dumpers. The original BlueHammer PoC requires standalone execution, dropping artifacts, while this BOF version runs in-memory.
Alternatives include:
- SecretsDump or Mimikatz BOFs: Pull from lsass or remote registries but lack the VSS stealth angle. Heavier footprint.
- SAM hive parsers like RegRipper: Offline tools needing manual extraction first.
- Other Cobalt Strike BOFs from TrustedSec's repo, such as registry queries, but without the Defender exploit.
BlueSAM stands out for its narrow focus—faster than full Mimikatz on high-sec hosts but dependent on the unpatched BlueHammer vuln. Once Microsoft patches propagate, efficacy drops.
For teams avoiding BOFs, full executables like BlueHammer exist, though they increase detection risk. If VSS access fails, fallback to reg save commands via Beacon works but generates more noise.
BlueSAM works best in licensed Cobalt Strike setups for authorized testing. Check the GitHub repo at https://github.com/incursi0n/BlueSAM for updates, as patches could impact future runs. Those new to BOFs should study the credits first.
Comments